701 - Chapter 10

Question 1

What provides assurances that data has not been modified? And what verifies whether #DATA has retained this?

Answer 1

Integrity…hash

Question 2

What is a string of alpha numeric characters derived from performing a mathematical calculation on data such as a message, patch, or file? And what is special about this?

Answer 2

Hash… it cannot be reversed, engineered to re-create the original #DATA

Question 3

What is a common hashing algorithm used today?

Answer 3

SHA-3

Question 4

What ensures that data is only viewable by authorized users? And what are two methods to ensure this?

Answer 4

Confidentiality… encryption and access control

Question 5

What scramble #DATA to make it un unreadable if intercepted? It normally includes an algorithm and a key.

Answer 5

Encryption

Question 6

What form of encryption uses the same key to encrypt and decrypt?

Answer 6

Symmetric encryption

Question 7

What type of cipher encrypts data one bit at a time? And which cipher encrypts’s data and blocks?

Answer 7

Stream…block

Question 8

What encryption uses a public and private key created as a matched key pair?

Answer 8

Asymmetric encryption

Question 9

Which encryption requires PKI to issue certificates?

Answer 9

Asymmetric encryption

Question 10

And how do the private and public key work with asymmetric encryption?

Answer 10

Anything encrypted with the public key can only be decrypted with the matching private key and anything encrypted with the private key can only be decrypted with the matching public key

Question 11

What provides a level of confidentiality by hiding #DATA within other files?

Answer 11

Steganography

Question 12

What validates an identity?

Answer 12

Authentication

Question 13

What prevents a party from successfully disputing having performed an action?

Answer 13

Non-repudiation

Question 14

What provides authentication, non-reputation, and integrity?

Answer 14

A digital signature

Question 15

What is one of the main differences between a hash and checksum?

Answer 15

A check sum is typically a small piece of data and is used to quickly verify the integrity of the data and they are not intended to be crypto graphically secure

Question 16

What is an example of a check sum usage?

Answer 16

A 16 digit credit card, the last digit is a checksum and is used to verify that the first 15 numbers were entered correctly

Question 17

What is a common hashing algorithm that is discouraged from being used as a cryptographic cash? And in what instances is it still in use today?

Answer 17

Message Digest 5 MD5… To verify the integrity of Files similar to a checksum

Question 18

What does hash based message authentication code HMAC do that’s a little bit different than the other hashing algorithms?

Answer 18

It hashes using an initial hashing algorithm such as MD5 or SHA – 256, and then, using a secret key known only by the sender and receiver, it performs another hash

Question 19

In addition to integrity, what does HMAC also provide? And what often uses HMAC?

Answer 19

Authenticity because only the sender and receiver know the secret key… IPSec and TLS

Question 20

True or false hashing also encrypts the data?

Answer 20

False

Question 21

Which hash helps solve the problem of an attacker intercepting and modifying the hash and the contents of the message or file? And how/why?

Answer 21

HMAC… through the use of a shared secret known only by the two parties exchanging the data

Question 22

What hashing algorithm is recommended for password usage and why?

Answer 22

A strong algorithm such as SHA-3 with a salt…adding the salt protects against an attack against known common password hashes

Question 23

What occurs when the hashing rhythm creates the same hash from different inputs? And which hashing algorithm is highly susceptible to this?

Answer 23

A hash collision…MD5

Question 24

Which type of password attack attempts to guess the password of an online system?

Answer 24

Online attacks

Question 25

Which type of password attack attempts to guess the password stored within a downloaded file?

Answer 25

Off-line attacks

Question 26

As a system admin, how can you discover an online attack?

Answer 26

By reviewing the event log and looking for ID 4625, failed, log attempt and/or 4740, account lockout

Question 27

What type of attack attempts to avoid the account lockout but the logs will still show a large volume of failed log on attempts, but with a time lapse between each entry?

Answer 27

Spraying attacks

Question 28

What type of attack uses a listing of words and character combinations? And what protects against this type of attack?

Answer 28

Dictionary…complex passwords

Question 29

Which type of attack attempts to guess all possible character combinations? And what helps to protect against this type of attack?

Answer 29

Brute force… complex passwords

Question 30

What attack is when the attacker discovers the hash of the users password and then uses it to log onto the system as the user?

Answer 30

Pass the hash attack

Question 31

What is an indicator of a pass the hash attack?

Answer 31

Event ID 46224 with a log on process of NTLMSSP and/or an authentication package of NTLM

Question 32

What do birthday attacks exploit? What is good protection against a birthday attack

Answer 32

Collisions in hashing algorithms… Increasing the number of bits used in the hash to increase the number of possible ashes

Question 33

What is a rainbow table attack? What prevents against this type of attack?

Answer 33

An attack that uses a rainbow table which is a huge database of possible passwords with pre-computed hashes for each… salting

Question 34

What is a salt? And what types of attacks do salts protect against?

Answer 34

A set of random data that is added as additional characters to a password before hashing … Rainbow table attacks, brute force, dictionary attacks

Question 35

What is an advanced technique used to increase the strength of stored passwords by applying a cryptographic stretching algorithm to the salted password?

Answer 35

Key stretching

Question 36

What are three key stretching techniques? And which type of attacks do they protect against?

Answer 36

Bcrypt, PBKDF2, Argon2… brute force and rainbow table attacks

Question 37

Between data at rest, data in motion or data in use, which of these is not encrypted? What methods are used to ensure as much confidentiality as possible with this one?

Answer 37

DATA in use… Purging memory of any sensitive data after processing it

Question 38

What are the two elements for encryption methods?

Answer 38

The algorithm and the key

Question 39

What type of encryption always uses the same key to encrypt and encrypt the data?

Answer 39

Symmetric encryption

Question 40

True or false symmetric, encryption algorithms always use the same key?

Answer 40

False these keys are changed very often

Question 41

Which cipher divides large miles or messages into specific size blocks, 64 bit or 128 bit, and then encrypts each individual block separately? Which cipher encrypt #DATA has a stream of bites or bits rather than dividing it into blocks?

Answer 41

A block cipher… a stream cipher

Question 42

When is a stream cipher more efficient than a block cipher?

Answer 42

When encrypting data in a continuous stream such as with audio or video

Question 43

What is the current NIST standard and is a strong symmetric block cipher that encrypt data in 128 192 or 256 bit key sizes? an increase in key size results in what? And what is the block size used?

Answer 43

Advanced encryption standard AES… a stronger key which means stronger protection…128 bit

Question 44

What are three strengths to using AES?

Answer 44

It is fast, it is efficient and less resource intensive, it is strong

Question 45

What is a symmetric block cipher design as an improvement over the known weaknesses of the legacy data encryption standard DES? What is the block size used? Is it a suitable alternative to AES? And when is it used?

Answer 45

3DES or triple DES… 64 bit…yes, although it isn’t as fast or efficient as AES, it is a suitable alternative… in cases where legacy hardware doesn’t support AES

Question 46

What encryption uses two keys in a match pair to encrypt and encrypt data? And what are these two keys referred to as? What is a drawback to a symmetric encryption?

Answer 46

Asymmetric encryption… public and private keys… it is very resource intensive

Question 47

What is a digital document that typically includes the public key and other information on the owner of the certificate? And who issues these and manages these?

Answer 47

Digital certificate… certificate authorities CA

Question 48

How are public keys shared?

Answer 48

By a certificate owner sharing a copy of their digital certificate

Question 49

What are some other common elements on a digital certificate?

Answer 49

a CA issued serial number, the CA who issued the certificate, the validity, dates, subject, public key, key, key usage, certificate attributes (CN, organization, locality, state, country name)

Question 50

What refers to something that last a short time? And how does that work for ephemeral key pairs? And what is an important characteristic that these keys will be totally random (non deterministic)?

Answer 50

Ephemeral… they are used for a single session and then discarded…perfect forward secrecy

Question 51

What type of cryptography doesn’t take as much processing power as other cryptographic methods? And what is a key benefit?

Answer 51

Elliptic curve cryptography ECC… the ECC keys can be much smaller when compared with non-ECC keys

Question 52

What is the act of deliberately making something unclear, confusing, or difficult to understand… It is often used to conceal distort or obscure information to mislead or deceive? What are the three techniques of this?

Answer 52

Obfuscation…steganography, tokenization and masking

Question 53

What form of obfuscation hides data inside other data? How can this be detected? What are the three primary file types using this?

Answer 53

Steganography… using hashes… audio, image, video

Question 54

What is an obfuscation technique that replaces sensitive data with non-sensitive placeholders or tokens? And how does it work?

Answer 54

Tokenization… The sensitive data is stored in a separate database, called a token vault and has various unique tokens mapped to it for usage

Question 55

What is an obfuscation technique that partially or fully conceal sensitive data with character, symbols or other data?

Answer 55

Masking

Question 56

For email digital signatures, the senders private key does what and the senders public key does what?

Answer 56

Encrypts…decrypts

Question 57

For email encryption, the recipients public key does what and the recipients private key does what?

Answer 57

Encrypts…decrypts

Question 58

For website encryption, the website public key does what and the websites private key does what? And what encrypt data in the website session?

Answer 58

Encrypts…decrypts…symmetric key

Question 59

If a senders digital signature, which is the message hashed and encrypted with the senders private key, can be decrypted by the recipient using the senders public key, then what are the three security benefits provided?

Answer 59

Authentication, non-repudiation, integrity

Question 60

With digital signatures, what identifies the sender? what verifies the message has not been modified? And what prevent the senders from denying they sent the message?

Answer 60

Authentication, integrity non-repudiation

Question 61

True or false… When sending encrypted emails with asymmetric encryption, only the recipients keys are involved?

Answer 61

True

Question 62

True or false encrypting email with only asymmetric encryption is exceptionally fast?

Answer 62

False, it is slow and inefficient

Question 63

What is another way of encrypting email other than asymmetric only?

Answer 63

Using asymmetric to encrypt a symmetric key, and then using that symmetric key to encrypt the email contents

Question 64

What is the popular standard used for digitally signing and encrypting email?

Answer 64

S/MIME

Question 65

What are the three ports used for S/MIME?

Answer 65

Port 995, POP3 over TLS… port 587, SMTP over TLS… port 993, IMAP over TLS

Question 66

What is the replacement protocol for SSL? And what does it require? And what traffic can this protocol encrypt?

Answer 66

TLS… Certificates issued by a certificate authority… https traffic and others such as FTPS…

Question 67

What does HTTPS use asymmetric encryption for? And what does it use symmetric encryption for?

Answer 67

To securely share the symmetric key… To encrypt the sessions data

Question 68

What is another name for the symmetric key that is used for encrypting data and an hTTPS session?

Answer 68

A session key

Question 69

What is a type of attack that forces a system to downgrade its security? And what is this attack most often associated with?

Answer 69

A downgrade attack… cryptographic attacks due to weak implementations of cipher suites…

Question 70

How does a downgrade attack work?

Answer 70

If a server has both ELS and SSL installed, if the client is not able to use TLS, the server would downgrade it security and use SSL to accommodate the client. At that point SSL based attacks can occur.

Question 71

How do administrators protect against downgrade attacks?

Answer 71

By disabling weak cipher suites and weak protocols on the servers

Question 72

What is a distributed, decentralized, public ledger? And what is it also known as?

Answer 72

Block chain… a database of public records

Question 73

What are the three parts to each block in a block chain?

Answer 73

Information about a transaction, such as date, time and amount… information on the parties involved with a transaction, which is their digital signatures… a unique hash for the block

Question 74

What are the four things that have to happen for a block to be added to the block chain?

Answer 74

A transaction has to have occurred..:the transaction has been verified by network of computers…the transaction is accurately recorded in a block…the block is assigned a unique hash

Question 75

What is the algorithm limitation when considering resources?

Answer 75

The resource versus security constraints

Question 76

When is it advantageous to use a fast algorithm? And when is it advantageous to use a slow algorithm?

Answer 76

Encrypting and decrypting #DATA… when salting and hashing passwords

Question 77

When is size in computational overhead taken into consideration when choosing an algorithm?

Answer 77

When using smaller devices that don’t have adequate memory and processing power

Question 78

What refers to the randomness of a cryptographic algorithm? And what does a higher level of this mean?

Answer 78

Entropy… a higher level of security

Question 79

Why is a pseudo random number generator a problem with encryption?

Answer 79

Because it uses a deterministic algorithm, and if an attacker knows what’s used as the input, it increases the likelihood that they can predict the key

Question 80

What refers to how long you can expect to use an algorithm? And what impacts negatively and what positively?

Answer 80

Longevity… improvements in processing power and or increasing the key size

Question 81

True or false with symmetric encryption, it is OK to use the same keys in the same stream

Answer 81

False… if any key is used twice in the same stream, the algorithm is vulnerable to attacks

Question 82

What attack is possible if an attacker has some known plain text data and the cipher text created from this plain text?

Answer 82

A plaintext attack

Question 83

What is a group of technologies used to request, create, manage, store, distribute, and revoke digital certificates?

Answer 83

Public key infrastructure PKI

Question 84

What issues, manages, validates and revokes digital certificates?

Answer 84

A certificate authority CA

Question 85

It is important for a public CA to be what? And why? And what concept is this?

Answer 85

Trusted… If the CA is trusted, all certificates issued by the CA are trusted… root of trust

Question 86

How are CAs trusted on a computer?

Answer 86

By placing a copy of the root certificate in an operating systems trusted route certificate store

Question 87

What is the most common trust model? And what kind of CA does it use? And what kind of certificates can they issue?

Answer 87

The hierarchical trust model… an intermediate CA… leaf certificates to end entities such as organizations, governments, or end users

Question 88

What is when all certificates from the root CA down to the certificate issued to the end entities

Answer 88

Certificate chaining

Question 89

What is used to request a certificate? And what is the first step? What is it included in the request to the CA?

Answer 89

A certificate signing request CSR… to create the RSA based private key, which is then used to create the public key… the public key

Question 90

True or false the private key is also sent to the CA

Answer 90

False

Question 91

Why do large organizations typically keep the root CA off-line? And why is this important?

Answer 91

To reduce the risk of compromise… if the root CA is compromised, the entire certification path is compromised

Question 92

True or false when an intermediate CA is compromised the entire certification path is also compromised

Answer 92

False… The root CA can issue new intermediate certificates to replace the compromised ones

Question 93

What are the reasons a CA can revoke a certificate?

Answer 93

Private key compromise, CA compromise, change of affiliation, superseded by another certificate, cease of operation, certificate hold, certificate holders request

Question 94

What includes a list of revoked certificates and is publicly available? And what is an alternative to using this list? And how does it work and what does it return?

Answer 94

The certificate revocation list CRL… online certificate status protocol OCSP… the client will query the CA with the serial number of the certificate and the CA responds with a good, revoked or unknown status

Question 95

What are three issues that can result in an invalid certificate from the browser?

Answer 95

Certificate has expired, certificate is not trusted, certificate is revoked

Question 96

And what is an alternative to OSCP? And how does it work? And how does it help?

Answer 96

Stapling:.. The certificate presenter such as a web server appends the certificate with a timestamped digitally signed OSCP response from the CA… it reduces traffic to and from the CA

Question 97

What is a security mechanism designed to prevent attackers from impersonating a website using fraudulent certificates? And what is included in the response back to the client?

Answer 97

Certificate pinning… a list of ashes, derived from valid public keys, used by the website and a max age field defining how long to use the data

Question 98

What is the process of placing a copy of a private key in a safe environment called? And why is this done?

Answer 98

Key escrow.. if an organization determines that the loss of encrypted data is unacceptable, it will implement a key escrow process

Question 99

What is a centralized system or service responsible for the secure management of cryptographic keys using various security applications?

Answer 99

Key management system KMS

Question 100

What are some of the task handled by a KMS?

Answer 100

Key generation, key storage, key distribution, key rotation, key retirement/revocation/destruction

Question 101

What is a certificate issue to a device or computer commonly called?

Answer 101

Machine or computer certificates

Question 102

What do developers often use to validate the authenticity of executable applications or scripts?

Answer 102

Code signing certificates

Question 103

What type of certificate is not issued by a trusted CA but rather by a private CA, and they are not trusted by default?

Answer 103

Self signed

Question 104

What type of certificate starts with an asterisk and can be used for multiple subdomains if each domain name has the same route domain?

Answer 104

Wild card

Question 105

What type of certificate is used for multiple domains that have different names but are owned by the same organization?

Answer 105

Subject alternate name SAN

Question 106

Which base format for a certificate is in ACSII? and which is binary?

Answer 106

CER… DER

Question 107

Which is the most used certificate format and can be used for just about any certificate type?

Answer 107

Privacy enhanced mail PEM

Question 108

What type of file is commonly used to share public keys? Can they contain a private key?

Answer 108

P7B…never

Question 109

Which two file types are commonly used to hold the private key?

Answer 109

P12 and PFX